Adaptive timeouts for security credentials
First Claim
1. A system, comprising:
- at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive, from a client, a first request seeking access to at least one resource using at least one security credential;
authenticate the client based at least in part on the at least one security credential;
send the client a session token, generated by the system, that includes a first value and a session identifier for a session initiated based in part on the authentication;
receive, from the client, a second request along with the session token;
determine a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
determine the badness factor exceeds a threshold value, the badness factor being within a first range;
process the second request based in part on the badness factor being within the first range;
determine a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range; and
send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
0 Assignments
0 Petitions
Abstract
Session-specific information stored in a cookie or other secure token can be selected and/or caused to vary over time, such that older copies become less useful as the session ages. Such an approach reduces the ability of an entity that obtains a copy of the cookie to perform unauthorized tasks on the session. A cookie received with a request can contain a timestamp and an operation count for the session, and these may need to fall within an acceptable range of the server's current values in order for the request to be processed. The cookie returned with the response can be set to the correct value or merely incremented from the previous value, depending on various factors. The allowable bands can decrease with the age of the session, and parameter values such as a badness factor for the session can be updated continually based on the events observed for that session.
65 Citations
20 Claims
1. A system, comprising:
at least one processor; and
memory storing instructions that, when executed by the at least one processor, cause the system to:
receive, from a client, a first request seeking access to at least one resource using at least one security credential;
authenticate the client based at least in part on the at least one security credential;
send the client a session token, generated by the system, that includes a first value and a session identifier for a session initiated based in part on the authentication;
receive, from the client, a second request along with the session token;
determine a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
determine the badness factor exceeds a threshold value, the badness factor being within a first range;
process the second request based in part on the badness factor being within the first range;
determine a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range; and
send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
(Dependent claims: 2, 3, 4, 5, 6, 7)

8. A computer-implemented method, comprising:
receiving, from a client, a first request seeking access to at least one resource using at least one security credential;
authenticating the client based at least in part on the at least one security credential;
sending the client a session token, generated by a server, that includes a first value and a session identifier for a session initiated based in part on the authentication;
receiving, from the client, a second request along with the session token;
determining a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
determining the badness factor exceeds a threshold value, the badness factor being within a first range;
processing the second request;
determining a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range;
sending, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
(Dependent claims: 9, 10, 11, 12, 13, 14)

15. A non-transitory computer-readable storage medium including instructions that, when executed by at least one processor of a computing device, cause the computing device to:
receive, from a client, a first request seeking access to at least one resource using at least one security credential;
authenticate the client based at least in part on the at least one security credential;
send the client a session token, generated by the computing device, that includes a first value and a session identifier for a session initiated based in part on the authentication;
receive, from the client, a second request along with the session token;
determine a badness factor, corresponding to a tolerance to incorrect information, based at least in part on a comparison of the first value of the session token and a second value that is associated with a reference computer, the session identified at least in part by the session identifier;
determine the badness factor exceeds a threshold value, the badness factor being within a first range;
process the second request;
determine a second range, based at least in part on the badness factor exceeding the threshold value, the second range having a smaller acceptable deviation than the first range;
send, to the client, an updated session token including an updated first value, the updated first value differing from the second value by an amount based at least in part on the badness factor.
(Dependent claims: 16, 17, 18, 19, 20)
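The abstract and the independent claims describe one mechanism from two angles: a token carrying a per-session value (an operation count and a timestamp), a server-side reference copy of that value, a badness factor computed from the deviation between the two, a band that narrows once the badness exceeds a threshold and as the session ages, and a returned token that is either resynchronised to the reference or merely incremented. The following is an added worked example of that procedure, written for this page; it is not code from the patent or its assignee. Everything concrete in it is an assumption chosen for illustration: the token is a JSON body with fields `sid`, `op` and `ts`, HMAC-SHA256 signed under a constructed key `KEY` so the client cannot edit it; the constants `INITIAL_BAND`, `MIN_BAND`, `THRESHOLD` and `MAX_SKEW`, the band-halving rule, the one-unit-per-hour aging rule and the skew penalty are example policies; the session, actor names and timings in `run_demo()` are constructed.

```python
"""Adaptive session-token band checking, modelled on the abstract above.
Added illustration, not the patent's code.  Token format, signing, band
sizes, the halving policy and the skew penalty are assumed example choices.
"""
import base64
import dataclasses
import hashlib
import hmac
import json
from typing import Optional

KEY = b"constructed-server-secret"  # example key, constructed for this demo


def encode_token(fields: dict) -> str:
    """Serialise the session token and append an HMAC-SHA256 tag."""
    body = base64.urlsafe_b64encode(json.dumps(fields, sort_keys=True).encode()).decode()
    tag = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    return body + "." + tag


def decode_token(token: str) -> Optional[dict]:
    """Return the token fields, or None if the tag is missing or does not verify."""
    body, _, tag = token.rpartition(".")
    expected = hmac.new(KEY, body.encode(), hashlib.sha256).hexdigest()
    if not body or not hmac.compare_digest(tag, expected):
        return None
    return json.loads(base64.urlsafe_b64decode(body))


@dataclasses.dataclass
class SessionState:
    op_ref: int           # reference operation count (the claims' "second value")
    created: float        # session start time, used to shrink the band with age
    band: int             # currently acceptable deviation (the claims' "range")
    badness: float = 0.0  # running maximum badness seen on this session


class Server:
    INITIAL_BAND = 4   # deviation tolerated on a fresh session (example value)
    MIN_BAND = 1
    THRESHOLD = 0      # any badness above this narrows the band
    MAX_SKEW = 300.0   # seconds between token issue and use before a skew penalty

    def __init__(self) -> None:
        self.sessions: dict = {}

    @classmethod
    def band_for_age(cls, age_seconds: float) -> int:
        """Allowable band decreases with session age: one unit per hour, floored."""
        return max(cls.MIN_BAND, cls.INITIAL_BAND - int(age_seconds // 3600))

    def login(self, sid: str, now: float) -> str:
        """Credential check assumed to have passed; start a session, issue first token."""
        self.sessions[sid] = SessionState(op_ref=0, created=now, band=self.INITIAL_BAND)
        return encode_token({"sid": sid, "op": 0, "ts": now})

    def handle(self, token: str, now: float):
        """Validate a request token.  Returns (status, new_token, badness)."""
        tok = decode_token(token)
        if tok is None or tok["sid"] not in self.sessions:
            return "reject", None, None
        st = self.sessions[tok["sid"]]
        st.band = min(st.band, self.band_for_age(now - st.created))
        # Badness: distance of the client's copy from the reference, plus a
        # penalty if the token is older than the tolerated skew.
        deviation = abs(tok["op"] - st.op_ref)
        badness = deviation + (1 if now - tok["ts"] > self.MAX_SKEW else 0)
        st.badness = max(st.badness, badness)
        if badness > st.band:
            del self.sessions[tok["sid"]]   # outside the acceptable range: revoke
            return "revoke", None, badness
        st.op_ref += 1                      # request processed; reference moves on
        if badness > self.THRESHOLD:
            st.band = max(self.MIN_BAND, st.band // 2)  # second, narrower range
            new_op = tok["op"] + 1   # increment the client's copy; stays off by `deviation`
        else:
            new_op = st.op_ref       # well-behaved: resynchronise to the reference
        return "ok", encode_token({"sid": tok["sid"], "op": new_op, "ts": now}), badness


def run_demo():
    """Constructed scenario: a cookie copied at login is replayed while the
    real client keeps working.  Returns a list of (actor, status, badness)."""
    srv = Server()
    t = 1_000_000.0
    client_tok = srv.login("s1", t)
    stolen_tok = client_tok   # attacker captures the cookie right after login
    events = []

    def step(actor, token, dt):
        nonlocal t
        t += dt
        status, new_tok, badness = srv.handle(token, t)
        events.append((actor, status, badness))
        return new_tok

    for _ in range(3):
        client_tok = step("client", client_tok, 10)   # deviation 0 each time, band stays 4
    stolen_tok = step("attacker", stolen_tok, 10)     # deviation 3 <= 4: processed, band -> 2
    client_tok = step("client", client_tok, 10)       # now 1 behind the reference: ok, band -> 1
    stolen_tok = step("attacker", stolen_tok, 10)     # deviation 4 > 1: session revoked
    step("client", client_tok, 10)                    # legitimate user must log in again
    return events


if __name__ == "__main__":
    for actor, status, badness in run_demo():
        print(f"{actor:8s} {status:7s} badness={badness}")
```

The point of the scenario is that the two copies of the cookie drift apart as soon as both are used: the replayed copy gets one request through while it is still inside the initial band, but that event narrows the band, and the next replay falls outside it and ends the session. The legitimate client loses the session too and has to re-authenticate, which is the intended outcome of detecting a copied credential; the signature on the token is what stops an attacker from simply editing the operation count to match the reference.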
Specification